Cart66 Vulnerability Follow-up

Cart66 released a new version this morning, addressing the vulnerability I posted about yesterday. A one-day turn-around to address a security issue is excellent (even if the stink from 9 months of inattention hasn’t fully dissipated yet). I’m disappointed I had to resort to a public warning to get action but glad that action was taken (and glad to see the Cart66 folks making the right general noises about the importance of security).

While I’m glad a new version is out to address the vulnerability, I think it was a mistake to release any information about the nature of the exploit today (the same day that the fix is available). I would have favored:

  1. Release the new version with the explanation that this fixes a security vulnerability and everyone should upgrade right away.
  2. Wait for a week to allow your customers time to upgrade.
  3. Then release the details of the exploit.

As a customer, I’m surprised I haven’t (as of this writing) received a notification warning me of the vulnerability and urging me to upgrade.1 I believe it’s the responsibility of a software provider to reach out to their customers to warn them about security issues before disclosing the details of them publicly.

Cart66 has already generally disclosed what the vulnerability is, but they didn’t go into much detail about how it could be exploited. The “black hat” folks will likely figure it out anyway, but I’m going to hold off sharing any details of it until next week. I think it is appropriate to outline how this can be exploited to help provide some context to Cart66 customers, but I don’t want to be the one making it more likely that people will exploit the vulnerability on their sites.

While I am generally willing to take the explanation of how this vulnerability was allowed to remain unaddressed for such a long time at face value, I also believe this shows a fundamental lack of emphasis on security throughout the Cart66 organization. Someone received my email, replied that this was already a known problem, then nothing happend. Who knows, perhaps the people involved with that response aren’t even with the company anymore, but I’m pretty darn sure that this wouldn’t happen in my shop. A security vulnerability is a “Drop everything, get it patched and get a new release out. NOW!” situation. I will take them at their word that they are working to address this internally, but I’m still not comfortable with what their response (or lack thereof) says about their culture.

If I were advising the Cart66 team, I would tell them they need to take additional steps to make it clear to their customers that they are taking security seriously. I would recommend hiring Mark Jaquith (or another reputable consultant or firm) to do a full security audit of their code and product architecture.

I would also create and publish a process by which developers can responsibly submit security concerns, patches, etc. This should be easy to find on the Cart66 website.

Lastly, I would establish the process by which security issues are communicated to customers (a mailing list, or similar). In the case of responsibly disclosed vulnerabilities, this should include giving customers reasonable time to upgrade before publishing any details of an exploit.

All software has bugs, and some of these bugs have security ramifications. How you deal with them (and how you work with your customers when they are found) is what builds or destroys your reputation.

  1. I did receive an email response to my ticket about the new release, but that didn’t go to all customers